Inside the Syrian Electronic Army Washington Post Attack

By Sean Michael Kerner |
Posted 2013-08-17

Inside the Syrian Electronic Army Washington Post Attack

The Washington Post reported Thursday, Aug. 15 that it had been the victim of an attack by a group known as the Syrian Electronic Army (SEA). The intrusion involved both a phishing attack against a staff writer's Twitter account as well as some Washington Post page redirections by way of an exploit of the Outbrain advertising and content discovery platform.

So what exactly is the SEA, and perhaps more importantly, what can and should publishers and enterprises do to protect themselves from being victims?

The SEA, which is aligned with Syrian President Bashar al-Assad, has a long history using various attack methods, said Jason Lancaster, senior intelligence analyst at Hewlett-Packard's Security Research division.

"The group's motivation, spreading pro-Assad messages, has not changed, but we have seen the volume of activity escalating over the past few months as well as the evolution of its tactics," Lancaster, who has been tracking the SEA's activities for years, told eWEEK.

In Lancaster's view, attacking Websites through third parties, as they have done in this attack with Outbrain, is part of this escalation of events.

"This is not a typical tactic used by the SEA but is something we have known the group is capable of for a while," Lancaster said.

The third-party attack—in which a widget from Outbrain, which was resident on The Washington Post Website, led to an unintended page redirection—is eerily reminiscent of an attack that WhiteHat security researchers described at the Black Hat conference at the end of July. In the WhiteHat research, JavaScript was inserted into ads and used to build a botnet. In The Post attack, an ad network (Outbrain) was also the conduit for attacking a site.

"This is an example of the power of the ad network when it comes to malware distribution," Matt Johansen, manager for the Threat Research Center at WhiteHat Security, told eWEEK. "Instead of buying an ad and then later tainting it, the attackers here went after the ad network portal itself via social engineering emails."

In the SEA case, once the attackers were in the ad network's admin panel, they had one of the world's most efficient and powerful distribution tools at their fingertips and they used it, Johansen said.

"Although we don't have firsthand knowledge of the malware, it doesn't seem to be using JavaScript like the botnet from our recent research," Johansen said. "It would appear to be a more traditional drive-by malware download via the malicious ad loading in the browser."

What The Washington Post Did Right

While the fact that The Washington Post was hacked is not a good thing, some positive lessons can be learned from the event.

The Washington Post had a strong security response plan and ultimately did a good job managing the issue, Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks, told eWEEK.

"They reacted very quickly to mitigate the problem by identifying the issue, quickly mitigating future damage by blocking the threat and then were transparent about the incident," Adams said. "So, from my perspective, they did everything exactly as they should have."

Inside the Syrian Electronic Army Washington Post Attack

The attack on The Post exposes the complexity that exists on the modern Web and the diversity of security threats that it brings, Adams said. Often, it's not sufficient just to secure a primary site; companies must make sure all the trusted third-parties that place ads, widgets or other services on the site are secure, as well, he added.

Outbrain is entirely responsible for this attack, and they should address the issues with how they secure their own product to keep customers, and ultimately consumers, safe, Adams said.

"Once Outbrain was compromised, it would have taken the attackers just a few extra clicks to scale the attack far beyond a single customer of the company," Adams said.

Outbrain has now secured its network and verified the integrity of its code, Yaron Galai, the company's CEO, said in an Aug. 15 blog post.

Where Will SEA Strike Next?

Though TheWashington Post and Outbrain have deflected the current attack, it is likely that the SEA will strike again.

"For the SEA's primary targets, which include mainstream media and any group perceived as supporting Western values, organizations should be particularly vigilant in monitoring for phishing attacks and SQL injection, as these are primary vectors for attack for the SEA," Lancaster said.

At-risk groups should enforce strong password policies, maintain unique passwords for each social media site and closely monitor corporate Websites for any out-of-process changes, Lancaster said. The use of two-factor authentication for social media sites is also a good best practice to further help reduce the risk of exploitation, he added.

"Attackers leveraging ad networks to distribute malware is not new, and care must be taken to ensure that the content pushed through from these third parties is not malicious," Lancaster said. "Today, global media organizations and individuals with access to those organizations' social media accounts should be considered high-risk targets and should operate with a high level of caution."

The success with which the SEA has been able to attack media sites to date is a leading indicator for Lancaster that the attacks will continue into the future.

"When a group is highly successful using techniques that are relatively easy to execute with little to no threat of retaliation from the victims, we do not expect the attacks to stop," Lancaster said. "In fact, the frequency and value of targets may increase."

Shutting down the SEA is not an easy task either, given the global nature of the Internet. Lancaster noted that a number of SEA domains, including syrian-es.com, syrian-es.org and syrian-es.net, have been shuttered.Fifteen of the SEA's Twitter accounts have been suspended, and a sixteenth is likely to be shut down as well.

The highly visible attacks by the SEA began during the Arab Spring with increasing geo-political tensions in Syria, Lancaster said. "These tensions have not eased, and as this is a primary motivator of the group, we do not anticipate its attacks stopping until the unrest in Syria comes to an end," he said.